
Third Party Risk Management Lead - USDS

Washington D.C.
Regular
R&D - Security
Job ID: A251946
Responsibilities
Team Intro

The USDS Security - Governance, Risk & Compliance team is responsible for managing USDS security compliance in accordance with US compliance requirements and objectives, and for providing industry-leading governance, risk, and compliance services. The core service offerings include: Compliance & Security Risk Management; Controls & Compliance Framework; Security Compliance Policies, Charters, & Protocols; Vendor Program & Third-Party Risk Management; Governance, Risk, & Compliance (GRC) Platform; and Security & Compliance Behavior & Culture.

About the Role

TikTok USDS JV is seeking a Third-Party Risk Management ("TPRM") Lead to be part of the US Security & Privacy, Governance, Risk and Compliance team. This role will have a significant impact on reducing third-party and supply chain risk for USDS JV compliant operations and maturing TPRM capabilities. The primary focus of this role will be to enhance the program's foundation, utilize technology to drive efficiencies, and continuously improve a data-driven TPRM program. The TPRM Lead must have a "business first" and customer service mindset, leveraging automation and AI to achieve scale and efficiency without sacrificing compliance. They also must become a thought leader in the intricacies and nuances of the JV's compliance requirements, to enable the business with a critical-thinking, risk-based approach.

Responsibilities include but are not limited to:

- Lead the end-to-end Third-Party Risk Management lifecycle (intake, due diligence, contracting, ongoing monitoring, and exit) for relevant third parties, aligning to enterprise risk, national security compliance, security, privacy, and resilience requirements
- Design and maintain the TPRM operating model, including roles and responsibilities, RACI, and handoffs across cross-functional business teams, Procurement, Legal, Security & Privacy
- Implement and continuously refine automation- and AI-enabled workflows (e.g., dynamic questionnaires, evidence collection, control testing, and issue tracking) to scale assessments, reduce manual effort, and show measurable efficiencies
- Develop and manage continuous control monitoring and data-driven vendor risk scoring, leveraging internal and external data sources (e.g., security ratings, vulnerability and incident data, SOC 2 reports) to produce actionable risk indicators, including supply chain and concentration risk
- Translate regulatory requirements and industry frameworks (e.g., NIST CSF, NIST 800-53, ISO 27001, SOC 2, SIG/CAIQ) into practical third-party control requirements, playbooks, and testing procedures
- Prepare and present clear metrics, dashboards, and narratives on third-party risk posture, key issues, and remediation progress to senior leadership, governance forums, and audit stakeholders
- Drive remediation and risk decisions with influence, partnering with senior leaders to resolve material third-party issues, shape risk acceptance decisions, and ensure timely closure of gaps
Qualifications
Minimum Qualifications:

- Bachelor's degree or equivalent practical experience and 5+ years of applicable experience in information security, risk management, privacy, or compliance, with significant experience focused on Third-Party Risk Management, vendor risk, or supply chain security in a program leadership role
- Proven experience designing, implementing, and operating TPRM processes across the third-party lifecycle (intake, due diligence, contracting, ongoing monitoring, and termination) in a highly regulated or high-risk environment, as well as hands-on experience evaluating technical and procedural controls at third parties, interpreting SOC 2 and similar assurance reports, and reviewing supporting evidence with infrastructure, application, and security engineering teams
- Strong working knowledge of information security and privacy control frameworks as applied to third parties (e.g., NIST CSF, NIST 800-53, ISO 27001, SOC 2, SIG/CAIQ, vendor due diligence standards)
- Experience designing or using vendor risk scoring models, key risk indicators, and dashboards to monitor third-party risk posture and drive measurable outcomes, together with a demonstrated ability to design and improve process automation using modern GRC/TPRM tooling (e.g., Archer, ServiceNow, OneTrust, ProcessUnity or similar), including leveraging rules, integrations, and AI-enabled capabilities to streamline assessments and monitoring
- Proven ability to build cross-functional relationships with technology and engineering teams to enable technical workflows and advancements to the program, together with demonstrated success leading cross-functional initiatives and influencing stakeholders across Procurement, Legal, Privacy, Security, Engineering, Finance, and business teams without direct authority
- Excellent communication skills, with the ability to translate complex technical and regulatory concepts into clear, business-focused narratives for diverse audiences
- Familiarity with US-centric regulatory expectations related to third-party risk, data protection, and security (e.g., federal and state privacy and cybersecurity requirements, industry supervisory guidance)

Preferred Qualifications:

- Experience building, scaling, or modernizing Third-Party Risk Management programs in highly regulated or US-critical sectors (e.g., financial services, telecommunications, cloud, or public sector), including close partnership with Privacy and Legal teams to align TPRM controls with data protection requirements
- Experience designing continuous control monitoring, automation, and data pipelines for third-party risk (e.g., integrating external security ratings, SIG/CAIQ responses, SOC 2 outputs, vulnerability and incident data), including experimentation with AI/ML or advanced analytics to identify anomalies and prioritize remediation
- Relevant professional certifications such as CTPRP, CTPRA, CISA, CISSP, CISM, CRISC, or similar
Job Information
【For Pay Transparency】 Compensation Description (Annually) - Washington, DC

The base salary range for this position in the selected city is $132,480 - $336,960 annually.

Compensation may vary outside of this range depending on a number of factors, including a candidate’s qualifications, skills, competencies and experience, and location. Base pay is one part of the Total Package that is provided to compensate and recognize employees for their work, and this role may be eligible for additional discretionary bonuses/incentives, and restricted stock units.

Benefits may vary depending on the nature of employment and the country work location. Employees have day one access to medical, dental, and vision insurance, a 401(k) savings plan with company match, paid parental leave, short-term and long-term disability coverage, life insurance, wellbeing benefits, among others. Employees also receive 10 paid holidays per year, 10 paid sick days per year and 17 days of Paid Personal Time (prorated upon hire with increasing accruals by tenure).

The Company reserves the right to modify or change these benefits programs at any time, with or without notice.

About USDS

TikTok USDS Joint Venture LLC is dedicated to the safety and security of millions of Americans who create, discover, and connect with what they love on the apps we operate. The Joint Venture has been established in compliance with the Executive Order signed by President Trump on September 25, 2025. Our foundation is a comprehensive data privacy and cybersecurity program we operate under defined safeguards to protect national security and secure U.S. user data, apps and the algorithm. We safeguard the U.S. content ecosystem, holding decision-making authority for trust and safety policies and moderation. USDS Joint Venture helps ensure Americans can continue to express their creativity, discover new hobbies and interests, and build thriving communities and businesses on a global scale.

On-site presence across teams allows the company to operate with greater speed, alignment, and agility — especially in areas like real-time decision-making, team development, and integrated execution. As such, the company is shifting from a hybrid work model to a fully in-person schedule up to 5 days a week.

Why Join Us

Inspiring creativity is at the core of TikTok's mission. Our innovative product is built to help people authentically express themselves, discover and connect – and our global, diverse teams make that possible. Together, we create value for our communities, inspire creativity and bring joy - a mission we work towards every day.

We strive to do great things with great people. We lead with curiosity, humility, and a desire to make impact in a rapidly growing tech company. Every challenge is an opportunity to learn and innovate as one team. We're resilient and embrace challenges as they come. By constantly iterating and fostering an "Always Day 1" mindset, we achieve meaningful breakthroughs for ourselves, our company, and our users. When we create and grow together, the possibilities are limitless. Join us.

Diversity & Inclusion

TikTok is committed to creating an inclusive space where employees are valued for their skills, experiences, and unique perspectives. Our platform connects people from across the globe and so does our workplace. At TikTok, our mission is to inspire creativity and bring joy. To achieve that goal, we are committed to celebrating our diverse voices and to creating an environment that reflects the many communities we reach. We are passionate about this and hope you are too.

USDS Reasonable Accommodation

USDS is committed to providing reasonable accommodations in our recruitment processes for candidates with disabilities, pregnancy, sincerely held religious beliefs or other reasons protected by applicable laws. If you need assistance or a reasonable accommodation, please reach out to us at https://tinyurl.com/USDS-RA
